RankFlow docs
Everything you need to get started, automate via the API, and solve common issues.
Getting started
From signup to your first AI recommendation in five steps. The whole flow runs inside our onboarding wizard at /onboarding, but here's what happens at each step so you know what to expect.
1. Create your account
Sign up with email + password or "Continue with Google". We create a personal workspace and start your 14-day Pro trial automatically — no credit card needed.
2. Add your first website
Just the domain — no need for the protocol or trailing slash. We normalise https://www.example.com/some/path to example.com for you.
3. Connect Google (Search Console + Analytics)
Read-only OAuth grant. We use Search Console for top queries / CTR / impressions and GA4 for engagement metrics. Disconnect any time from the GSC site page.
4. Pick keywords to track
We pre-suggest keywords based on your domain. Pick what matters, add your own, and we'll check daily ranks (or weekly on Starter) starting tomorrow.
5. Run your first audit
Crawls up to 100 pages on Starter, 500 on Pro, 1,000 on Agency. You'll get a health score, prioritised issues, and AI-written fix recommendations — usually in 1–3 minutes.
API reference
RankFlow exposes a JSON REST API for the data you've collected. Base URL: https://rankflow.my/api/v1.
Authentication
All endpoints require a bearer token. Generate one from Settings → API. Tokens look like rf_live_… (production) or rf_test_… (sandbox).
curl https://rankflow.my/api/v1/projects \
-H "Authorization: Bearer rf_live_..."Response envelope
Every response is wrapped in { "data": …, "meta": … }. The meta block carries the live quota numbers and a server timestamp:
{
"data": [...],
"meta": {
"api_calls_today": 142,
"api_calls_limit": 1000,
"timestamp": "2026-05-11T14:00:00+08:00"
}
}Scopes
Tokens carry granular scopes. Required scope is listed per endpoint below.
read:projects— list + view sitesread:rankings— read rank tracking dataread:audit— read audit resultsread:keywords— read keyword research datawrite:audit— trigger new audits
Endpoints
| Method | Path | Scope | Description |
|---|---|---|---|
| GET | /v1/projects |
read:projects |
List sites in the workspace. |
| GET | /v1/projects/{site} |
read:projects |
Get a single site with health score + last crawled. |
| GET | /v1/projects/{site}/rankings |
read:rankings |
Active rank trackings with latest position. |
| GET | /v1/projects/{site}/rankings/{tracking}/history |
read:rankings |
Last 90 rank checks for one keyword. |
| GET | /v1/projects/{site}/audit |
read:audit |
Latest crawl batch summary + health score. |
| POST | /v1/projects/{site}/audit |
write:audit |
Queue a new audit. Returns 202. |
| GET | /v1/projects/{site}/keywords |
read:keywords |
Saved keywords with metrics. |
Rate limits
Per-plan daily caps on bearer tokens:
- Starter — no API access (upgrade to Pro)
- Pro — 1,000 calls/day
- Agency — 10,000 calls/day
Every response includes X-RateLimit-Limit and X-RateLimit-Remaining headers. When you exceed the cap you'll get 429 Too Many Requests with a reset_at timestamp in the body.
Webhooks
Register HTTPS endpoints at Settings → Webhooks to receive real-time POST requests when key events fire.
Available events
audit.completed— a crawl finished and AI summary is readyranking.changed— a tracked keyword moved ≥3 positionsbacklinks.updated— daily sync new/lost countsreport.generated— a scheduled or one-off report finished
Payload + headers
POST https://your.app/webhook
Content-Type: application/json
X-RankFlow-Event: audit.completed
X-RankFlow-Signature: 8f2c9... (HMAC-SHA256 of the raw body)
X-RankFlow-Delivery: 019e... (unique per attempt)
{
"event": "audit.completed",
"timestamp": "2026-05-11T14:00:00+08:00",
"data": { "batch_id": "...", "site_id": "...", "domain": "...", "health_score": 78 }
}Verifying signatures
Always verify the X-RankFlow-Signature header to confirm the request is from us. The signature is the HMAC-SHA256 of the raw request body using your webhook secret. Constant-time comparison only:
// Node.js
const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(req.headers['x-rankflow-signature']));Non-2xx responses trigger 2 retries with exponential backoff (10s, 30s, 90s) — 3 attempts total.
FAQ
Where is my data stored?
On servers in Asia (Contabo VPS). Google OAuth tokens are encrypted at rest. We never share your data with third parties.
Can I cancel any time?
Yes. From Settings → Billing. There are no contracts or cancellation fees. You keep access until the end of the period you paid for.
What's the difference between the plans?
Starter is for solo founders (3 sites, weekly rank checks). Pro is for SMEs (15 sites, daily checks, AI audit, GSC, content writer). Agency is for freelancers + agencies (unlimited sites, white-label client portal, API access, team seats).
Do you support Malay-language SEO?
Yes — defaults to MY location codes (2458 in DataForSEO), MYR pricing, and our AI keyword recommender flags Malay-language opportunities specifically.
How do I white-label reports for my clients?
Pro and Agency plans support full white-label. Upload your logo, set your brand colors, and customise the footer at Settings → Branding. Agency adds custom domain support for the client portal.
Does RankFlow work with my CMS?
Yes — we crawl any website that serves HTML. Schema markup is generated as JSON-LD that you paste into your <head>. WordPress / Webflow / Shopify / static sites all work.
Why don't I see my GSC data immediately?
GSC sync runs daily at 2 AM Asia/Kuala_Lumpur. After you connect, expect data to appear the next morning. Existing properties may take Google a day or two to populate after a fresh connection.